This is a simple project that uses XDP and Dropbox's gobpf library for filtering received packets based on their IP address.
The firewall contains 2 parts:
- The Kernel
eBPF
code written inC
that needs to be compiled toELF
(Clang, llvm, etc) - the Userspace Code written in
Go
that handles the logic of the firewall
We'll be using Clang to compile the eBPF
code to ELF
:
$ apt-get install clang llvm make
You can either run make
on the root directory to build the ELF
file, or use clang
:
# Use tha make command
$ make
# Use Clang to compile to ELF
$ cd bpf
$ clang -I ../headers -O -target bpf -c xdp_drop.c -o xdp_drop.elf
The ELF
file has to be named xdp_drop.elf
because it's hardcoded into the source code.
Running an XDP/eBPF program, we're going to be needing root permission, because all processes that intend to load eBPF programs into the Linux kernel must be running in privileged mode.
We also need to pass in the -iface
flag with the value of the interface we want XDP to attach to. We'll attach lo
in this example:
$ go build # or make build
$ sudo ./xdp-blocker -iface lo
I've created a simple API that you can use to block or unblock an IP Address with a given subnet.
- Block IP Address:
POST /v1/add-ip
- Unblock IP Address:
POST /v1/remove-ip
# Block IP Address(es)
$ curl -XPOST -H "Content-Type: application/json" localhost:8080/v1/add-ip -d '
{
"ipAddress": "X.X.X.X",
"subnet": "32"
}
# Unblock IP Address(es)
$ curl -XPOST -H "Content-Type: application/json" localhost:8080/v1/remove-ip -d '
{
"ipAddress": "X.X.X.X",
"subnet": "32"
}
Hitting CTRL-c
will detach the XDP Program and all blocked IP Addresses will be unblocked.